Backdoor.IrcContact is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 6667 on the infected computer. Backdoor.IrcContact is packed using ASPack v2.12.

It copies itself as Syswin32.exe or Syswin.exe into the %system% folder. In addition, it drops the file Syswin32.dll or Syswin.dll (this is a text file that contains the Trojan's connection settings) into the %system% folder.

NOTE: %system% is a variable. The Trojan locates the System folder and copies the files to that location. By default this is C:\Windows\System (Windows 95/98/Millenium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The Trojan creates one of these values

syswin32 %system%\syswin32.exe
syswin %system%\syswin.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start or restart Windows.

If the operating system is Windows 95/98/Millenium, the Trojan registers itself as a service process, so that it continues to run after you log off. In this case, Backdoor.IrcContact closes only when the system is shut down.

After Backdoor.IrcContact is installed, it joins a specific IRC channel and then waits for commands from the remote client. The commands allow the hacker to perform the following actions:

Deliver system and network information to the hacker

Manage the installation of the backdoor Trojan

Download and execute files

Perform Denial of Service (DoS) attacks

Inventory and activate windows of programs that are running

Restart the computer

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Do one of the following:
Windows 95/98/Millenium: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
3. Run a full system scan, and delete all files that are detected as Backdoor.IrcContact.
4. Reverse the changes that the Trojan made to the registry.

To restart the computer in Safe mode or end the Trojan process:

Windows 95/98/Millenium
Restart the computer in Safe mode. All Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.

Windows NT/2000/XP
To end the Trojan process:

1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to sort the processes alphabetically.
5. Scroll through the list, and look for Syswin32.exe or Syswin.exe.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

To scan for and delete the infected files:

1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.

2. Run a full system scan.
3. If any files are detected as infected with Backdoor.IrcContact, click Delete.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.